Writeup on the Falafel box, which has been retired since yesterday. This is one of the harder boxes I've done so far. Let's get started!
Enumeration
As always, I start with my trusted nmap scan on all ports:
[bash]
nmap -sC -sV -p- -oA nmap-initialscan 10.10.10.73
Nmap scan report for 10.10.10.73
Host is up (0.096s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[/bash]
We have a web server running on port 80 and an SSH service on port 22. Let's fire up gobuster to explore the web server. I used both the common.txt wordlist from SecLists and the directory-list-2.3-medium.txt that ships with Kali.
[bash]
gobuster -u 10.10.10.73 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x .html,.txt,.pdf,.cgi,.php,.asp,.aspx
Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.73/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 204,301,302,307,200
[+] Extensions : .html,.txt,.pdf,.cgi,.php,.asp,.aspx
=====================================================
/assets (Status: 301)
/css (Status: 301)
/footer.php (Status: 200)
/header.php (Status: 200)
/images (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/login.php (Status: 200)
/logout.php (Status: 302)
/profile.php (Status: 302)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/style.php (Status: 200)
/upload.php (Status: 302)
/uploads (Status: 301)
Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.73/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,200
[+] Extensions : .html,.txt,.pdf,.cgi,.php,.asp,.aspx
=====================================================
/images (Status: 301)
/index.php (Status: 200)
/login.php (Status: 200)
/profile.php (Status: 302)
/uploads (Status: 301)
/header.php (Status: 200)
/assets (Status: 301)
/footer.php (Status: 200)
/upload.php (Status: 302)
/css (Status: 301)
/style.php (Status: 200)
/js (Status: 301)
/logout.php (Status: 302)
/robots.txt (Status: 200)
/cyberlaw.txt (Status: 200)
/connection.php (Status: 200)
[/bash]
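To see at a glance what the second wordlist found that the first did not, here is a small added helper (my own example, not part of the original writeup) that parses concatenated gobuster v1 output like the block above and lists the paths unique to each run. The sample input is a trimmed, constructed copy of those two runs.

```python
import re

# Constructed sample: a trimmed copy of the two gobuster runs shown above.
SAMPLE_OUTPUT = """\
[+] Wordlist : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/assets (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/login.php (Status: 200)
/uploads (Status: 301)
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/index.php (Status: 200)
/login.php (Status: 200)
/uploads (Status: 301)
/assets (Status: 301)
/cyberlaw.txt (Status: 200)
/connection.php (Status: 200)
"""

WORDLIST_RE = re.compile(r"^\[\+\] Wordlist\s*:\s*(\S+)")
HIT_RE = re.compile(r"^(/\S*)\s+\(Status:\s*(\d{3})\)")

def parse_runs(text):
    """Split concatenated gobuster v1 output into {wordlist: {path: status}}.
    Repeated hit lines (gobuster prints /index.php twice when the word and
    the word+extension collide) collapse into a single entry."""
    runs, current = {}, None
    for line in text.splitlines():
        m = WORDLIST_RE.match(line)
        if m:  # a new '[+] Wordlist :' banner starts the next run
            current = m.group(1).rsplit("/", 1)[-1]
            runs.setdefault(current, {})
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            runs[current][m.group(1)] = int(m.group(2))
    return runs

def unique_hits(runs):
    """Paths only one wordlist found, i.e. what a single list would have missed."""
    result = {}
    for name, hits in runs.items():
        others = set().union(*(h.keys() for n, h in runs.items() if n != name))
        result[name] = sorted(set(hits) - others)
    return result

if __name__ == "__main__":
    for name, only in unique_hits(parse_runs(SAMPLE_OUTPUT)).items():
        print(f"{name}: found only here -> {only}")
```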
Where common.txt showed mostly the same things as the medium wordlist, I see a few notable differences, with one standing out: http://10.10.10.73/cyberlaw.txt. Let's see what's in this text file:
From: Falafel Network Admin ([email protected])
Subject: URGENT!! MALICIOUS SITE TAKE OVER!
Date: November 25, 2017 3:30:58 PM PDT
To: [email protected], [email protected]
Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
Mime-Version: 1.0
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
A user named “chris” has informed me that he could log into MY account without knowing the password,
then take FULL CONTROL of the website using the image upload feature.
We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
so I have no idea how he did it.
Dear lawyers, please handle him. I believe Cyberlaw is on our side.
Dear develpors, fix this broken site ASAP.
~admin
Seems like my next target will be the upload function on the website, and I need to check out the login bypass as well. Let's conclude the enumeration by finding out the PHP version running on the machine.
Exploitation
I first want to look at the login screen at http://10.10.10.73/login.php. I fire up sqlmap to see if it can find an SQL injection. I use the wizard option for this (since I am lazy).
While that is running, let's look at the image upload function.
Privilege escalation